Earlier this week the Office of the Attorney General for the State of California announced an agreement with leading operators of app platforms to implement privacy principles in the app ecosystem. These principles would require mobile app privacy policies or statements to be presented to the consumer in a consistent way prior to the downloading of the app and would require app stores to create a complaints process.

The California agreement was overshadowed in the press by the White House's announcement of a Consumer Privacy Bill of Rights and the release of its report entitled "Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy," which I previously blogged about. However, the California agreement could result in significant changes to the way in which privacy policies are presented in the app ecosystem and the ability of consumers to navigate those data privacy policies and complain about privacy practices of apps.

The California Attorney General stated that the majority of mobile apps did not have a privacy policy and that the agreement would bring the industry in line with California law. The Attorney General cited the California Online Privacy Protection Act ("OPPA") which states that "[a]n operator of a commercial web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial web site or online service shall conspicuously post its privacy policy on its Web site, or in the case of an operator of an online service, make that policy available" in accordance with the provisions of OPPA. The California Attorney General's position appears to be that OPPA requires privacy policy disclosure regarding apps at the point of download.

The agreement sets out five principles:

  1. A privacy policy or statement regarding the app's privacy practices must be conspicuously posted. The policy or statement must describe how personal data is collected, used and shared.
  2. New and updated apps must have either (a) an optional data field for a hyperlink to the privacy policy or statement or (b) an optional data field for the text of the privacy policy or statement. Access to a hyperlinked privacy policy or statement must be available from the app store.
  3. App stores must provide consumers with a means to report apps that do not comply with applicable terms of service and/or laws.
  4. App stores must develop and implement a process for responding to reported instances of non-compliance with applicable terms of service and/or laws.
  5. Within six months, the operators of app platforms will reconvene to evaluate privacy in the mobile space, including the utility of education programs regarding mobile privacy.

For more information, visit FMC's Data Governance Law Blog at www.datagovernancelaw.com
